Jul 23, 2025 • Wiz Security Research
Soco404: Multiplatform Cryptomining Campaign Uses Fake Error Pages to Hide Payload
Executive Summary
Wiz Research has uncovered a new iteration of a multiplatform cryptomining campaign designated as Soco404. This campaign utilizes fake error pages as a deception technique to conceal malicious payloads from users and security tools. The primary objective is resource hijacking for cryptocurrency mining purposes across multiple platforms. While specific threat actor attribution remains unconfirmed in this report, the campaign represents a persistent threat to cloud and infrastructure security. The use of fake error pages indicates a focus on defense evasion to maintain persistence within compromised environments. Organizations should monitor for unauthorized mining activity and investigate unexpected error pages serving scripts. Mitigation involves robust endpoint detection and network traffic analysis to identify cryptomining signatures. The severity is assessed as medium due to the resource consumption impact rather than data exfiltration. Continued monitoring is advised to track evolving tactics within the Soco404 campaign infrastructure.
Summary
Wiz Research has identified a new iteration of a broader malicious cryptomining campaign, which we’ve dubbed Soco404.
Linked Entities
- Soco404